ONC to offer mobile device security tips

The Office of the National Coordinator for Health IT (ONC) will help small providers who use smart phones and other mobile devices learn how to easily secure them using simple steps explained in plain language.

Research shows that about 81 percent of physicians use smart phones or tablet devices. The small size of these devices make them easy to lose on subways and airplanes or stolen. Yet very few safeguard them, such as using encryption, making it easy for unauthorized users to access information.

ONC has conducted research on mobile endpoint security, where they take devices out of the box from the local electronics stores and apply manual configuration for better controls to support security, said Will Phelps, an IT security specialist in ONC’s Office of the Chief Privacy Officer.

“You have to make sure that the devices are able to apply the appropriate security controls to make sure that the patient records are protected. We want to reach out to the provider community to make sure that they are able to do these things,” he said at the June 11 Government Health IT conference sponsored by HIMSS.

ONC studies of out-of-the-box security configuration found that most mobile phones did not meet more than 40 percent of security requirements, such as the ability to encrypt information, he said.

After manual configuration, test results improved significantly, especially for the iPhone and Blackberry models, which met 60 percent of the security requirements. Other phones did not fare as well after manual configuration.

Initially, ONC will focus on small and medium-sized providers. “They may not have an IT staff or third-party vendor to manage their devices for them. So we want to get them to a point where their devices are operating as securely as possible,” Phelps said, adding that the security configurations are available on the devices right out of the box but must be manually configured.

ONC will describe scenarios or use cases around which to offer practical information for mobile device security, said Kathryn Marchesini, an attorney in ONC’s Office of the Chief Privacy Officer.

These will include remote use from a coffee shop, sending e-mail, or what to do if providers bring their own devices, which may not necessarily be credentialed in the organization, and whether they should be allowed to connect to the system’s network or not.

Some providers may not realize they need a policy around the use of mobile devices, or that they need to take an inventory of mobile devices. “It may seem basic, but we hear every day that practicing providers are struggling with these issues,” she said.

The Health Insurance Portability and Accountability Act (HIPAA) provides security guidance around remote use. The proposed rule for meaningful use stage 2 also calls for encryption of data at rest.

In its next phase, ONC will test third-party vendor security tools applied to devices to see how well they score on information protection. Overall, ONC plans to design outreach for vendors, providers and patients for security awareness around mobile devices and training to follow.

ONC is also incorporating in its mobile security outreach the regional health IT extension centers, which offer technical assistance in providers’ offices “to make sure we identify real scenarios and practical solutions,” Marchesini said.